Getting Data In

Timezones - Same Time 3 sites

robertlynch2020
Motivator

Hi

I have 3 office all 1 hour different from each other.
100% of SPLUNK is installed in the middle office. (Paris Time)

Is it possible that when all users log in they only see the time of the middle office (PARIS).
At the moment EPOC time is converted to -1 hour or + 1 pending on the site. Ideally i just want each user to see 100% the same thing.

Thanks
Robert Lynch

0 Karma
1 Solution

woodcock
Esteemed Legend

Make sure that ALL of your events are properly timestamped; this is not as easy as it sounds and most people believe that they are done with this part but they still actually have problems (I have never looked at client data where this has been 100% correct). Splunk always normalizes every event to UTC for indexing (creating the _time field) so all it needs to know is the TZ that is used for each event's timestamp. The Indexers know how to check host OS to determine system clock and will use this if use use DATETIME_CONFIG=CURRENT. Once that is done, you have done the most important and most difficult half of the job by aligning your data so Splunk's knows your events' TZ:
http://docs.splunk.com/Documentation/Splunk/latest/data/Applytimezoneoffsetstotimestamps
NOTE: only newly indexed events are effected by changes to these settings; older events will stay "wrong".

Now for the part that you asked about: you also must tell Splunk your preferred TZ by setting it in Your Name -> Settings -> Time zone. This setting controls both the normalization of the timepicker when you pick settings that are date-relative (e.g. Today, Last 7 days, etc.) and it also changes the time value listed in some views of the Events tab. On the Events tab, find the Raw/List/Table link that is just above your search results and just under the histogram graph and all the way to the left and make sure it is set to List. This will add a column to your search results called Time which will show your preferred normalized timestamp. The timestamp inside the raw event will never change and will always be exactly the way it was when the thing that generated it sent it to splunk. A policy might be enforced that all users use the same setting here so that everyone always sees the same thing.

View solution in original post

0 Karma

woodcock
Esteemed Legend

Make sure that ALL of your events are properly timestamped; this is not as easy as it sounds and most people believe that they are done with this part but they still actually have problems (I have never looked at client data where this has been 100% correct). Splunk always normalizes every event to UTC for indexing (creating the _time field) so all it needs to know is the TZ that is used for each event's timestamp. The Indexers know how to check host OS to determine system clock and will use this if use use DATETIME_CONFIG=CURRENT. Once that is done, you have done the most important and most difficult half of the job by aligning your data so Splunk's knows your events' TZ:
http://docs.splunk.com/Documentation/Splunk/latest/data/Applytimezoneoffsetstotimestamps
NOTE: only newly indexed events are effected by changes to these settings; older events will stay "wrong".

Now for the part that you asked about: you also must tell Splunk your preferred TZ by setting it in Your Name -> Settings -> Time zone. This setting controls both the normalization of the timepicker when you pick settings that are date-relative (e.g. Today, Last 7 days, etc.) and it also changes the time value listed in some views of the Events tab. On the Events tab, find the Raw/List/Table link that is just above your search results and just under the histogram graph and all the way to the left and make sure it is set to List. This will add a column to your search results called Time which will show your preferred normalized timestamp. The timestamp inside the raw event will never change and will always be exactly the way it was when the thing that generated it sent it to splunk. A policy might be enforced that all users use the same setting here so that everyone always sees the same thing.

0 Karma

robertlynch2020
Motivator

Woodcock, sorry for the delay on your great answer.

Before i start changing things, i have to tell you one more factor.

I have created one user = PARIS (CET).
I can log in with this user from PARIS(Via Citrix) Or On my desktop in Dublin (-1H Behind Paris).

I am displaying epoc _time.

From Both DUBLIN and PARIS i see PARIS time, In a timechart graph and this works well.

The issues is when i try to move time using the below command.

          <eval token="form.time_token.earliest">strptime('row.Start',"%m/%d/%Y %H:%M:%S")</eval>
          <eval token="form.time_token.latest">strptime('row.Stop',"%m/%d/%Y %H:%M:%S")</eval>

I have a table with Start[16:45:00] and End[16:51:10] time in it.

When i click on this table to re-drive time, in paris i get what i want. However in Dublin i get Start[17:45:00] and End[17:51:10]. So it pushes the data on + 1.
In the past i put in a + 3600, however as SPLUNK is now gettign bigger in the company i need PARIS to be the main server and all users to see PARIS time and all Action to be on PARIS time.

alt text

alt text

0 Karma

woodcock
Esteemed Legend

The solution to your problem is convert your Start and Stop fields as soon as possible into time_t/epoch using strptime JUST ONCE and from then on out use fieldformat (NOT eval) to change the way that Stop and Start are presented to the user but DO NOT change the value itself. This way when you use them as values for earliest and latest, they still are time_t/epoch and they do not need reformatting/translating and they are still correct because they haven't been converted back-and-forth-and-back-and.... with strptime/strftime calls. If you do this, you should be fine.

0 Karma

robertlynch2020
Motivator

Thanks for this, if fixed this issues. I had epoc stored and i was able to use it to set the time so i did not need to convert it with eval.

However i have another issues that has not arisen in relation to Timezones.

I have made a new question "Timezones issues 1 site, 3 users in different timezones"... I am trying to apply what you said in this question however i am not sure it is the same thing.

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee

You can set the user timezone offset in the UI under settings>access controls>users > Time zone
This will offest the display time of the search results in the 'Time' column of the search results relative to the time of the logged event.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...